🎯 Security Researcher | Speaker | Open Source Contributor
I'm a Product Security Engineer focused on securing the software supply chain. My passion lies in offensive security research, tool development, and sharing knowledge with the community.
- 🔒 Creator of SCAGoat, a vulnerable-by-design application to benchmark SCA tools and simulate supply chain attacks.
- 🧰 Regular secure coding trainer, conference reviewer, and CTF enthusiast.
- 🔍 My research interests include OSS poisoning, model exposure abuse, malicious packages, and DevSecOps automation.
I believe in giving back to the community and actively contribute to key open source security projects:
- fixed software supply chain security for actions check in ossf/scorecard (#4678)
- fixed security for actions for the slsa-framework/slsa (#1474)
I have presented my research and tools at several top-tier security conferences, including:
- Black Hat USA 2025: CloudLens
- Black Hat Asia 2025: SCAGoat - Exploiting Damn Vulnerable and Compromised SCA Application
- Black Hat Europe 2024: SCAGoat - Exploiting Damn Vulnerable SCA Application
- DEF CON 32 (2024): SCAGoat Arsenal Tool
- AppSec Village DC 2025: Catch The Flow: Securing CI/CD with Flowlyt
- AppSec Village DC 2024: SCAGoat Arsenal Tool
📊 GitHub Stats & Achievements
📌 Featured Project: SCAGoat
A deliberately insecure and compromised SCA testbed that simulates:
- CVE exposure in Node.js and Spring Boot apps
- Malicious/compromised packages
- Reachability and fix validation workflows
Ideal for evaluating SCA tools, container scanners, and CI/CD defenses.
💬 Let’s connect to talk about research, secure development, OSS risks, or collaborations!